The Buffer Overflow vulnerability has been around for almost 3 decades and it’s still going strong. Hackers all around the world continue to name it as their default tactic due to the huge number of susceptible web applications. But what steps are organizations (devs) taking to combat this vulnerability? What role does secure coding play in eliminating this threat? This article also includes an ethical hacker’s Buffer Overflow POC along with a brief Q&A.
As per Statista.com, over 80% of the desktop computers in use today (correct for Sep 2015) are powered by Microsoft Windows. While Windows 7 is by far the most commonly used version (51.5%), the “vintage” Windows XP is still popular with almost 10% of the share. This is where Indian ethical hacker Neeraj Godkhindi has exposed a glaring vulnerability.
A seasoned security researcher based in Bangalore, Godkhindi exploited the Buffer Overflow loophole to trick the Windows XP system and gain remote access to the machine.
The Buffer Overflow is one of the oldest vulnerabilities known to man. It can be tracked all the way back to the late 80s, when the self-propagating Morris Worm wreaked havoc.
Modern applications implement virtual memory fundamentals, unlike physical memory addresses in old times. When virtual memory is used, application code and the processor make use of virtual memory addresses. In other words, the OS and the chipset work in sync to map and coordinate between virtual and physical memory addresses.
The temporary storage areas in the memory are also known as buffers. When the application can be tricked (usually due to coding errors) into storing more data than the buffer can hold, it overflows into adjacent buffers. This Buffer Overflow can lead to a wide range of issues, including data corruption, segmentation faults, exceptions and more.
The probability of this vulnerability differs from language to language, but C, C++ and Assembly are considered most susceptible due to their outdated memory management capabilities. Advanced hackers can initiate Buffer Overflows with specially crafted malicious payloads to cause application crashing, data theft or even give them remote access.
Neeraj Godkhindi, a seasoned researcher with years of experience with the Windows OS, showed how he exploits a vulnerable app to gain control of the victim’s PC. He used:
The “Easy RM to MP3 Converter” application doesn’t contain any form of input length verification mechanism, making it a convenient hacking medium for the POC. Godkhindi also used the debugger to monitor the status of registers and showcase how the hacking works. He then initiates the process by trying to convert a larger than allowed music file.
Once the application crashes, the hacking process is initiated. Godkhindi overrides the EIP with a 41414141 sequence. He thus shows that he can control the ESP and manipulate the Windows OS via the vulnerable application. Then he uploads a personally-crafted malicious file to the app, which makes the Windows calculator pop up. The POC is thus complete.
Godkhindi went on to say that while his POC didn’t involve anything “fancy”, hackers can wreak havoc on compromised machines after gaining shell access via this loophole.
Neeraj Godkhindi hacks into a Windows XP powered computer.
Neeraj Godkhindi talked to Checkmarx about Windows security. He stressed that similar hacks can also be performed on newer Windows versions (Windows 7/10).
Q – What do you think about the current level of security in Windows applications?
A – “I personally think that application security is still not where it should be. Applications have become very dynamic in nature and code integrity is not where it should be.”
Q – How can Windows applications be free of the Buffer Overflow flaws?
A – “Fuzzing and reverse engineering are effective ways to locate Buffer Overflow vulnerabilities. But unfortunately these are very difficult to implement during development.”
“I recommend the implementation of Source Code Analysis (SCA) since it’s a practical way to locate vulnerabilities in the application code, before the software is released to the market. Not only are potential Buffer Overflow pitfalls located at early, they can also help developers understand the fundamentals of secure coding,” Godkhindi explained.
Godkhindi also named security tools Windows application developers can utilize. He recommends using – /GS Stack buffer overrun detection, /SafeSEH exception handling protection, Structured Exception Handler Overwrite Protection (SEHOP), Data Execution Prevention (DEP), Address space layout randomization (ASLR) and Pointer Encoding.
While this article has dealt specifically with the Windows platform, the buffer overflow threat exists on other systems and platforms. Application security cannot be complete without secure coding and optimal memory management. Developers have to start implementing security during the development phases to eliminate these threats.
Neeraj Godkhindi and security experts worldwide are recommending the integration of SAST solutions straight into development process. This leads to the creation of a secure Software Development Life Cycle (sSDLC), enabling the detection and mitigation of coding errors and application-layer vulnerabilities. Code integrity is thus significantly improved.
But introducing code scanning into the Software Life Cycle (SLC) is still not enough, since there are no hack-proof applications. Adopting a multi-layered approach has become crucial. For example, coupling Static Code Analysis (SCA) during the development stages with Penetration (Pen) Testing prior to release can be a formidable AppSec combo.
The time to boost Windows security is now.
|Neeraj Godkhindi (@) is an IT professional based in Bangalore, India. He currently works as a technical lead, offering his services to major financial clients from US. Besides his primary work, Godkhindi is also an ethical hacker. He has performed major attacks by using Buffer Overflows and DLL Injections, while doing his best to educate and alert developers worldwide.|
Sign up today & never miss an update from the Checkmarx blog
Interested in trying CxSAST on your own code? You can now use Checkmarx's solution to scan uncompiled / unbuilt source code in 18 coding and scripting languages and identify the vulnerable lines of code. CxSAST will even find the best-fix locations for you and suggest the best remediation techniques. Sign up for your FREE trial now.
Checkmarx is now offering you the opportunity to see how CxSAST identifies application-layer vulnerabilities in real-time. Our in-house security experts will run the scan and demonstrate how the solution's queries can be tweaked as per your specific needs and requirements. Fill in your details and we'll schedule a FREE live demo with you.